May 18, 2017

The Adylkuzz Botnet – An Uninvited Guest

The Adylkuzz cryptocurrency mining botnet is malware and it spread through the same one-two punch of EternalBlue/DoublePulsar that WannaCry utilized.

Look anywhere in the news today and it’s hard to miss coverage about WannaCry, the SMB exploit-loving ransomware that wormed its way into all our hearts. This piece of malware certainly proved a few points about the current state of cyber security – namely that patch management, network segmentation, asset management and perimeter defense are all areas that need to be taken more seriously.

However, while attempting to capture new samples of WannaCry in the wild over the weekend, security researchers made a surprising discovery: a similar piece of malware was already on the loose and had been performing its nefarious duties in a much less intrusive manner. More surprisingly, it had been active since mid-April, weeks before the WannaCry outbreak. This malware was part of a more traditional botnet intended to use its victims to mine cryptocurrency, and it may have unintentionally blunted what WannaCry otherwise could have done.

This malware is the Adylkuzz cryptocurrency mining botnet, and it spread through the same one-two punch of EternalBlue/DoublePulsar that WannaCry utilized. Instead of encrypting a victim’s files and holding them for ransom, this malware simply eats resources on a machine to mine Monero cryptocurrency. The mining software uses spare processor cycles and memory to perform difficult computations. In addition to starting this mining process, the DoublePulsar payload delivered by the botnet also adds a firewall rule blocking access to port 445, the SMB port through which the victim was infected with Adylkuzz in the first place.

Since both the mining process and the addition of a single firewall rule are relatively benign actions from a victim’s point of view, the only real symptoms of infection would be a slightly sluggish workstation or server and a potential loss of access to file shares. This minimal impact is probably what allowed the botnet to operate for weeks without detection. Additionally, its actions probably prevented the WannaCry epidemic from being as bad as it could have been, since victims of Adylkuzz could not be infected by WannaCry because the required port was no longer open.
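As an added example (not code from the original post or from Armor), the following PowerShell hunt looks for the symptom described above: an enabled inbound Windows Firewall rule that blocks TCP 445. The post does not name the rule Adylkuzz creates, so every matching rule is reported for an analyst to review against the host’s expected policy; the host list at the end is a constructed placeholder.

```powershell
# Added example: report enabled inbound Block rules covering TCP 445 (SMB).
# Assumes the NetSecurity module (Windows 8 / Server 2012 or later) and local
# administrator rights; Invoke-Command additionally needs WinRM to the targets.

function Get-Inbound445BlockRule {
    [CmdletBinding()]
    param()

    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction Stop
    foreach ($rule in $rules) {
        $filter = $rule | Get-NetFirewallPortFilter
        # LocalPort may be 'Any', a single port, several ports, or a range like '440-450'
        $ports = @($filter.LocalPort)
        $covers445 = $ports | Where-Object {
            $_ -eq '445' -or $_ -eq 'Any' -or
            ($_ -match '^(\d+)-(\d+)$' -and [int]$Matches[1] -le 445 -and [int]$Matches[2] -ge 445)
        }
        if ($covers445 -and ($filter.Protocol -in @('TCP', 'Any'))) {
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DisplayName  = $rule.DisplayName
                Name         = $rule.Name
                Profile      = $rule.Profile
                Protocol     = $filter.Protocol
                LocalPort    = ($ports -join ',')
            }
        }
    }
}

# Run locally first; an unexpected hit on a host that normally serves file
# shares is the condition worth escalating.
Get-Inbound445BlockRule | Format-Table -AutoSize

# Fan out to a constructed (placeholder) host list over WinRM. Hosts that fail
# the WinRM connection are themselves worth a look: a host that lost SMB access
# may also have lost other inbound services.
$targets = @('WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02')
Invoke-Command -ComputerName $targets -ScriptBlock ${function:Get-Inbound445BlockRule} -ErrorAction Continue |
    Select-Object ComputerName, DisplayName, Profile, Protocol, LocalPort |
    Format-Table -AutoSize
```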

More than 20 active exploitation hosts and more than a dozen C2 servers have been identified since discovery over the weekend, though there are probably additional exploitation/C2 servers remaining to be found.

As the dust begins to settle from this outbreak of infections, a few questions remain:

What other malware has been utilizing these leaked exploits that may have gone unnoticed?

How will others change them to increase their usefulness?

What will organizations change to ensure that the next major release of exploits doesn’t result in a similar outcome?

Threat Research

Thanks to the analysis of Adylkuzz provided by Kaffeine and others, we can provide information about the following IOCs:

